One of a series of posts on the forthcoming Investigatory Powers Bill
Mandatory communications data retention is already a battleground. The Conservatives did not get their way over the Communications Data Bill in 2012. The coalition government pushed DRIPA through Parliament in 2014 with indecent haste. In July 2015 the current administration lost the first round of the judicial review challenge to DRIPA. The government has said it will appeal.
The court's judicial review judgment did not hold that the CJEU DRI decision had outlawed a general data retention obligation as such. The government has been given until March 2016 to implement new legislation remedying the defects identified by the court.
We can expect more blood on the floor in this area. Some likely issues include:
The boundary between content and communications data is likely to be revisited. As well as its more general implications, a change in the dividing line would have a particular impact on the proposed Communications Data Bill third party data collection scheme (discussed below). The Joint Committee described how the data would be collected:
"It would be necessary to place data probes within a CSP’s network and those probes would be programmed to generate information from network links within the CSP. Deep Packet Inspection (DPI) would be used to isolate key pieces of information from data packets in a CSP’s network traffic." [91]
Under RIPA that type of activity would be an interception, unless restricted to the acquisition of traffic data “comprised in or attached to a communication … for the purposes of any postal service or telecommunication system by means of which it is being or may be transmitted.”
The draft CDB specifically did not authorise any conduct that would amount to an interception. Difficult questions would have arisen about how far DPI for this purpose could go before it became an unlawful interception. If the definition of traffic data were to be widened as the result of a review of the boundary between content and communications data, then the potential scope of third party data collection would be automatically broadened.
Recommendations by the three Reviews on the boundary between content and communications data:
| Review | Recommendation |
|---|---|
| ISC | In relation to communications, given the controversy and confusion around access to Communications Data, we believe that the legislation should clearly define the following terms: ‘Communications Data’ should be restricted to basic information about a communication, rather than data which would reveal a person’s habits, preferences or lifestyle choices. This should be limited to basic information such as identifiers (email address, telephone number, username, IP address), dates, times, approximate location, and subscriber information. ‘Communications Data Plus’ would include a more detailed class of information which could reveal private information about a person’s habits, preferences or lifestyle choices, such as websites visited. Such data is more intrusive and therefore should attract greater safeguards. ‘Content-Derived Information’ would include all information which the Agencies are able to generate from a communication by analysing or processing the content. This would continue to be treated as content in the legislation. (Recommendation AAA) |
| Anderson | The definitions of content and of communications data, and any subdivisions, should be reviewed, with input from all interested parties including service providers, technical experts and NGOs, so as to ensure that they properly reflect both current and anticipated technological developments and the privacy interests attaching to different categories of material and data. Content and communications data should continue to be distinguished from one another, and their scope should be clearly delineated in law. (Recommendation 12) |
| RUSI | Following evidence received by the ISR Panel and further discussion with civil-liberties groups and communications service providers (CSPs), we recommend that definitions of content data and of communications data should be reviewed as part of the drafting of new legislation. They should be clearly delineated in law. (Recommendation 3) |
Compelled data generation. The current data retention law (DRIPA) can require data to be retained only if it is already generated or processed in the UK by the service provider in the course of providing its service.
The voluntary communications data retention provisions of Section 102 ATCSA 2001 are narrower. They only apply to retention of communications data obtained by or held by telecommunications service providers. The Code of Practice makes clear this simply extends the retention period where data is already held for the CSP’s own business purposes. This is a higher threshold than mere generation or processing. However, unlike this aspect of DRIPA, ATCSA is not limited to the UK.
The Communications Data Bill would for the first time have enabled a provider to be compelled to generate data. This could for instance have been used to require a provider to collect identifying details of a user. Many would regard this as crossing a red line between facilitating the authorities’ access to whatever data may already be out there and requiring a provider to design its business to suit the authorities.
For whatever reason – possibly the terms of the voluntary ATCSA Code – it is sometimes assumed that under current law mandatory data retention can only apply to data already retained for some period for the CSP’s own business purposes. However, as the Home Office correctly stated in its response to the consultation on the Data Retention Code of Practice under DRIPA:
“DRIPA and the preceding legislation provided for the retention of data that was generated or processed by a CSP as part of providing a service. There has never been a requirement for a CSP to retain data for business purposes before it can be retained further.”
Even so, currently a CSP cannot be required to create data that it does not already generate or process in the UK. That condition applies to the new category of 'relevant internet data' added by CTSA 2015 as well as to the original categories covered by DRIPA.